US-9672189

Methods for effective network-security inspection in virtualized environments

Published: June 6, 2017
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

The present invention discloses methods for effective network-security inspection in virtualized environments, the methods including the steps of: providing a data packet, embodied in machine-readable signals, being sent from a sending virtual machine to a receiving virtual machine via a virtual switch; intercepting the data packet by a sending security agent associated with the sending virtual machine; injecting the data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses the virtual switch; forwarding the data packet to the security virtual machine by employing a packet-forwarding mechanism; determining, by the security virtual machine, whether the data packet is allowed for transmission; upon determining the data packet is allowed, injecting the data packet back into the sending security agent via the direct transmission channel; and forwarding the data packet to the receiving virtual machine via the virtual switch.

Patent Claims
14 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method for effective network-security inspection of virtual traffic over a network, in virtualized environments, the method comprising the steps of: (a) providing a data packet, embodied in machine-readable signals, being sent from a sending virtual machine to a receiving virtual machine via a virtual switch; (b) intercepting said data packet by a sending security agent associated with said sending virtual machine; (c) injecting said data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses said virtual switch; (d) forwarding said data packet to said security virtual machine by a network interface card (NIC), said forwarding by said NIC including buffering and aggregating packets to increase performance of data packet traffic over said network; (e) determining, by said security virtual machine, whether said data packet is allowed for transmission; (f) upon determining said data packet is allowed, injecting said data packet back into said sending security agent via said direct transmission channel; (g) forwarding said data packet to said receiving virtual machine via said virtual switch; and, (h) prior to said step (f), upon determining said data packet is allowed, tagging said data packet as a security-cleared packet; and wherein said step (g) includes: (i) intercepting said security-cleared packet by a receiving security agent associated with said receiving virtual machine; (ii) inspecting, by said receiving security agent, whether an incoming packet has a security-cleared tag; (iii) upon determining said incoming packet has said security-cleared tag, transmitting said incoming packet to said receiving virtual machine; (iv) upon determining said incoming packet does not have said security-cleared tag, forwarding said incoming packet to said security virtual machine; and, (v) performing said steps (e)-(g) on said incoming packet.

Plain English Translation

A method for network security inspection in virtualized environments starts with a data packet sent from a sending virtual machine to a receiving virtual machine through a virtual switch. A sending security agent intercepts this packet and injects it into the inspecting security agent of a security virtual machine (SVM) through a direct channel that bypasses the virtual switch. A network interface card (NIC) then forwards the packet to the SVM, buffering and aggregating packets for performance. The SVM determines whether the packet is allowed. If it is, the packet is tagged as "security-cleared", injected back into the sending security agent via the direct channel, and then forwarded to the receiving virtual machine via the virtual switch. A receiving security agent intercepts the packet and checks for the security-cleared tag: if the tag is present, it passes the packet to the receiving virtual machine; if not, it forwards the packet to the SVM, which repeats its inspection, tagging and forwarding steps.

Claim 2

Original Legal Text

2. The method of claim 1, wherein said security virtual machine includes at least one security component selected from the group consisting of: a firewall, an Intrusion Prevention System (IPS), an Intrusion Detection System (IDS), a Data-Loss Prevention (DLP) system, a Virtual Private Network (VPN), a Uniform Resource Locator (URL) filter, a malware filter, and a web filter.

Plain English Translation

The network security inspection method, as described in the previous claim, utilizes a security virtual machine that includes one or more security components such as a firewall, Intrusion Prevention System (IPS), Intrusion Detection System (IDS), Data-Loss Prevention (DLP) system, Virtual Private Network (VPN), Uniform Resource Locator (URL) filter, malware filter, or web filter. These components enable the security virtual machine to perform a variety of security checks and enforce security policies on network traffic within the virtualized environment.

Claim 3

Original Legal Text

3. The method of claim 1, wherein said packet-forwarding mechanism is a standard packet-transmittal mechanism provided by a hypervisor virtualization infrastructure.

Plain English Translation

The network security inspection method, as described previously, uses a packet-forwarding mechanism that is a standard packet-transmittal method provided by the hypervisor, the underlying virtualization infrastructure. The communication between the sending security agent and the security virtual machine therefore relies on the hypervisor's built-in networking capabilities, without custom or specialized forwarding logic.

Claim 4

Original Legal Text

4. The method of claim 1, wherein said packet-forwarding mechanism is a direct interface into said security virtual machine.

Plain English Translation

The network security inspection method, as described previously, utilizes a packet-forwarding mechanism that offers a direct interface into the security virtual machine. Instead of relying on standard networking pathways, this approach provides a dedicated communication channel directly to the SVM, potentially reducing latency and overhead.

Claim 5

Original Legal Text

5. The method of claim 4, wherein said direct interface is configured to utilize a component selected from the group consisting of: a memory module, a cache memory module, and an associated network interface card (NIC) resource.

Plain English Translation

The network security inspection method with a direct interface to the security virtual machine, as described previously, configures that direct interface to utilize a memory module, a cache memory module, or an associated network interface card (NIC) resource. This allows for efficient data transfer between the sending security agent and the security virtual machine, potentially improving inspection performance.

Claim 6

Original Legal Text

6. The method of claim 1, wherein said sending virtual machine and said receiving virtual machine share a common physical machine.

Plain English Translation

The network security inspection method, as described previously, is applicable even when the sending and receiving virtual machines are running on the same physical hardware. This means the security inspection process functions regardless of whether the virtual machines are communicating internally within a single server or across a network of servers.

Claim 7

Original Legal Text

7. The method of claim 1, the method further comprising the steps of: (i) prior to said step (c), determining, by said sending security agent, whether said data packet is allowed for transmission; (j) implementing a security-processing mechanism, by said sending security agent, on said data packet; (k) by said sending security agent: upon determining said data packet needs further security processing, continuing to said step (c); (l) by said sending security agent: upon determining said data packet is not allowed, dropping said data packet; and (m) by said sending security agent: upon determining said data packet is allowed, continuing to said step (g).

Plain English Translation

Building on the network security inspection method described previously, the sending security agent first decides whether a data packet is allowed for transmission before involving the security virtual machine, applying its own security-processing mechanism to the packet. Three outcomes follow: if further security processing is needed, the packet is sent to the SVM; if the packet is not allowed, it is dropped; and if the sending security agent allows the packet outright, it skips the SVM and proceeds directly to the forwarding step, reaching the receiving virtual machine via the virtual switch.
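The egress and ingress decision flow of claims 1 and 7, as an added Python simulation that is not the patent's own code or any vendor's implementation; the per-destination local policy table, the SVM's marker-based policy and the VM names are assumptions made for the example. It also shows the subtle case that a packet the sending agent allows locally (claim 7, step (m)) arrives at the receiving agent without the security-cleared tag, so claim 1 step (g)(iv) routes it to the SVM anyway.

```python
from dataclasses import dataclass, field

CLEARED_TAG = "security-cleared"  # the tag added at claim 1 step (h)

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    tags: set = field(default_factory=set)

class SecurityVM:
    """Inspecting SVM with a toy policy (assumed, not the patent's):
    block any payload containing one of the constructed markers."""
    def __init__(self, blocked_markers):
        self.blocked = blocked_markers
        self.inspected = 0  # counts trips over the direct channel
    def allowed(self, pkt):  # claim 1 step (e)
        self.inspected += 1
        return not any(m in pkt.payload for m in self.blocked)

class VirtualSwitch:
    def __init__(self):
        self.agents = {}  # VM name -> its security agent
    def forward(self, pkt):  # claim 1 step (g): hand to receiving agent
        return self.agents[pkt.dst].receive(pkt)

class SecurityAgent:
    """One agent per VM: sending agent on egress, receiving agent on ingress."""
    def __init__(self, vm, switch, svm, local_policy):
        self.vm, self.switch, self.svm = vm, switch, svm
        self.local_policy = local_policy  # dst -> "allow" | "drop" | "inspect"
        self.delivered = []  # packets actually handed to the VM
        switch.agents[vm] = self

    def send(self, pkt):
        # claim 7 steps (i)-(m): local verdict before involving the SVM
        verdict = self.local_policy.get(pkt.dst, "inspect")
        if verdict == "drop":
            return "dropped-locally"
        if verdict == "inspect":  # step (c): inject via the direct channel
            if not self.svm.allowed(pkt):
                return "dropped-by-svm"
            pkt.tags.add(CLEARED_TAG)  # step (h): tag before step (f)
        # a locally allowed packet goes straight to step (g), untagged
        return self.switch.forward(pkt)

    def receive(self, pkt):
        # claim 1 step (g)(i)-(v): only tagged packets reach the VM
        if CLEARED_TAG in pkt.tags:
            self.delivered.append(pkt)
            return "delivered"
        if not self.svm.allowed(pkt):  # (iv): untagged packet -> SVM
            return "dropped-by-svm"
        pkt.tags.add(CLEARED_TAG)  # (v): repeat steps (e)-(g) on it
        return self.receive(pkt)
```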

Claim 8

Original Legal Text

8. A non-transitory computer-readable storage medium having computer-readable code embodied on the computer-readable storage medium, the computer-readable code comprising: (a) program code for intercepting a data packet embodied in machine-readable signals, transmitted over a network, said data packet being sent from a sending virtual machine to a receiving virtual machine, by a sending security agent associated with said sending virtual machine via a virtual switch; (b) program code for injecting said data packet into an inspecting security agent associated with a security virtual machine via a direct transmission channel which bypasses said virtual switch; (c) program code for causing forwarding of said data packet to said security virtual machine by a network interface card (NIC), said forwarding by said NIC including buffering and aggregating packets to increase performance of data packet traffic over said network; (d) program code for determining, by said security virtual machine, whether said data packet is allowed for transmission; (e) program code for, upon determining said data packet is allowed, injecting said data packet back into said sending security agent via said direct transmission channel; (f) program code for forwarding said data packet to said receiving virtual machine via said virtual switch; and, (g) program code for, prior to executing said program code (e), upon determining said data packet is allowed, tagging said data packet as a security-cleared packet; and wherein said program code (f) further includes: (i) program code for intercepting said security-cleared packet by a receiving security agent associated with said receiving virtual machine; (ii) program code for inspecting, by said receiving security agent, whether an incoming packet has a security-cleared tag; (iii) program code for, upon determining said incoming packet has said security-cleared tag, transmitting said incoming packet to said receiving virtual machine; (iv) program code for, upon determining said incoming packet does not have said security-cleared tag, forwarding said incoming packet to said security virtual machine; and (v) program code for performing said program code (d)-(f) on said incoming packet.

Plain English Translation

A non-transitory computer-readable storage medium stores code for network security inspection in virtualized environments. The code intercepts a data packet sent from a sending virtual machine to a receiving virtual machine via a virtual switch, using a sending security agent. It injects the packet into a security virtual machine (SVM) through a direct channel, bypassing the virtual switch. A NIC forwards the packet to the SVM, buffering and aggregating packets for performance. The SVM determines if the packet is allowed, and if so, tags it as "security-cleared" and injects it back into the sending security agent via the direct channel, before forwarding to the receiving VM. The receiving security agent intercepts this packet, checks for the tag, transmits if tagged, or forwards to the SVM if not, repeating the SVM's inspection.

Claim 9

Original Legal Text

9. The storage medium of claim 8, wherein said security virtual machine includes at least one security component selected from the group consisting of: a firewall, an Intrusion Prevention System (IPS), an Intrusion Detection System (IDS), a Data-Loss Prevention (DLP) system, a Virtual Private Network (VPN), a Uniform Resource Locator (URL) filter, a malware filter, and a web filter.

Plain English Translation

The storage medium described previously, for network security inspection, contains code for a security virtual machine that includes components like a firewall, Intrusion Prevention System (IPS), Intrusion Detection System (IDS), Data-Loss Prevention (DLP) system, Virtual Private Network (VPN), Uniform Resource Locator (URL) filter, malware filter, or web filter. These components enable the SVM to perform various security checks on network traffic.

Claim 10

Original Legal Text

10. The storage medium of claim 8, wherein said packet-forwarding mechanism is a standard packet-transmittal mechanism provided by a hypervisor virtualization infrastructure.

Plain English Translation

The storage medium for network security inspection, as described previously, contains code that uses a packet-forwarding mechanism that is a standard packet-transmittal method provided by the hypervisor. The hypervisor's built-in networking handles the communication between the sending security agent and the security virtual machine.

Claim 11

Original Legal Text

11. The storage medium of claim 8, wherein said packet-forwarding mechanism is a direct interface into said security virtual machine.

Plain English Translation

The storage medium for network security inspection, as described previously, contains code that uses a packet-forwarding mechanism providing a direct interface into the security virtual machine. This direct channel offers a dedicated communication path, potentially reducing latency.

Claim 12

Original Legal Text

12. The storage medium of claim 11, wherein said direct interface is configured to utilize a component selected from the group consisting of: a memory module, a cache memory module, and an associated network interface card (NIC) resource.

Plain English Translation

The storage medium for network security inspection with a direct interface to the security virtual machine, as described previously, contains code that configures that direct interface to use a memory module, a cache memory module, or an associated network interface card (NIC) resource for efficient data transfer.

Claim 13

Original Legal Text

13. The storage medium of claim 8, wherein said sending virtual machine and said receiving virtual machine share a common physical machine.

Plain English Translation

The storage medium for network security inspection, as described previously, contains code that functions regardless of whether the sending and receiving virtual machines are running on the same physical machine or different machines.

Claim 14

Original Legal Text

14. The storage medium of claim 8, the computer-readable code further comprising: (h) program code for, prior to said program code (b), determining, by said sending security agent, whether said data packet is allowed for transmission; (i) program code for, implementing a security-processing mechanism, by said sending security agent, on said data packet; (j) program code for, by said sending security agent: upon determining said data packet needs further security processing, continuing to said program code (b); (k) program code for, by said sending security agent: upon determining said data packet is not allowed, dropping said data packet; and (l) program code for, by said sending security agent: upon determining said data packet is allowed, continuing to said program code (f).

Plain English Translation

The storage medium for network security inspection, as described previously, contains code by which the sending security agent decides, before any packet is sent to the security virtual machine, whether it allows the packet, applying its own security processing. If further processing is needed, the packet goes to the SVM; if the packet is disallowed, it is dropped; otherwise it skips the SVM and is forwarded directly toward the receiving virtual machine.

Patent Metadata

Filing Date

July 23, 2009

Publication Date

June 6, 2017

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Methods for effective network-security inspection in virtualized environments” (US-9672189). https://patentable.app/patents/US-9672189

© 2026 Nomic Interactive Technology LLC.